Ransomware: Hijacking Your Data
By Richard Wang and Anand Ajjan, SophosLabs
“Federal Bureau of Investigation. Attention! Your computer has been locked.”
For the last two years users have increasingly been faced with messages like
this and demands for money in exchange for access to their PCs. But these
are not the actions of law enforcement, quite the opposite—it’s an example
of ransomware. This paper looks in depth at ransomware variants and
delivery mechanisms, and how you can protect your data with a complete
security strategy.
Ransomware vs. fake antivirus
Ransomware is often compared to fake antivirus in the way it operates and the
motivation behind it. What differentiates ransomware from fake antivirus is the
way each manipulates human tendencies and fears. Fake antivirus plays on security fears
and calls for the user to take action in self-preservation, whereas ransomware works either
as extortion or punishment.
Fake antivirus is one of the most frequently-encountered and persistent threats on the web.
This malware, with over half a million variants, uses social engineering to lure users onto
infected websites with a technique called Blackhat SEO (Search Engine Optimization).
According to Google Trends, ransomware has recently surpassed fake antivirus in terms of
user queries on Google.
Fig. 1: Ransomware more popular search term than fake antivirus since late 2011
The graph above shows ransomware has been a more popular search term than fake
antivirus since late 2011. This strongly suggests that malware authors find ransomware
to be more profitable and convincing than fake antivirus. Another reason for ransomware's
success is the fact that the makers of the Blackhole exploit kit include ransomware in their
distribution system.
A Sophos Whitepaper March 2013
The ransomware timeline
Early variants—SMS ransomware
Some of the earliest variants lock the user’s computer and display a ransom message. The
message instructs the user to send a code via text message to a premium-rate SMS number.
The user would then receive a message containing the corresponding unlock code which
would allow them to use their computer. In these cases the ransom paid was the cost of the
premium rate text message.
First-stage evolution—winlockers
This variant also locks the user’s computer but rather than displaying a simple demand for
payment, it also uses social engineering techniques. The message displayed to the user
claims to be from a law enforcement agency and indicates that the required payment is a
fine for illegal activity on the computer such as distributing copyrighted material. The fine is
required to be paid using an online payment system such as Ukash or Paysafecard.
This type of ransomware is commonly known as winlocker ransomware. In this version,
the cost of the “fine” is much larger than the cost of the premium-rate text message seen
earlier. The payment currency is based on the region where the user is located, i.e., $100,
£100 or €100, etc.
Advanced evolution—file encryptors
In these variants, in addition to locking the window screen, the ransomware encrypts the
user’s files using various complex encryption algorithms. The user is asked for a “ransom
amount” in order to decrypt the files. The user is required to make payments via online
payment systems such as those mentioned above. This type of ransomware is identified as
file encrypting ransomware.
Fake FBI ransomware
Ransomware authors quickly realized that antivirus vendors can easily provide a solution
to unlock the machine without sending an expensive SMS. Thus they changed gears and
adopted a different method.
This variant asks the user to make the payment via an online payment service. In reality, it
is not feasible to track the recipient of the ransom amount. The warning messages in this
version are delivered based on the geolocation of the user.
Some of the variants also require the user to email a 19-digit code, received as an
acknowledgement of the payment made to Ukash, Paysafecard or MoneyPak, in order to
receive the unlock code.
Fig. 2: Fake FBI ransomware
State of play
SophosLabs sees winlocker ransomware more regularly than file encrypting ransomware.
This could be due to the fact that encryption-decryption techniques require more
development work than the usual winlockers, which can be developed and maintained easily.
Ransomware delivery mechanisms
This section describes the various means or delivery mechanisms used by the malware
authors to propagate ransomware to the user, largely over the web.
Exploit kits
An exploit kit is a type of tool that exploits various security holes in the software installed
on a computer. A cybercriminal buys such an exploit kit, bundles in the malware that they
wish to deliver, and serves it from compromised legitimate websites.
For example, Blackhole takes advantage of the vulnerabilities that exist—often in Java or PDF
software—to install malware on end users’ computers without their interaction, in a drive-by download manner.
Below are a few ransomware variant names delivered via Blackhole:
• Executable binary: Troj/Ransom-ML, Troj/Reveton-BP and Troj/Katusha-CJ etc.
• Memory detection: Troj/RevetMem-A
• Javascript: Troj/JSAgent-CW
• Link files: CXmal/RnsmLnk-A
Spam email attachment
The ransomware arrives via spam messages containing a malicious attachment, as shown
below. One such example asks the user to open an attachment and presents an email with a
convincingly legitimate appearance.
Fig. 3: Spam email attachment
Once the user opens the .zip attachment, the binary inside the .zip executes and drops
ransomware on the system. This in turn may contact a command and control (C&C) server
to download the lock screen image. This particular variant is detected as Troj/Ransom-JO.
Closer look: Winlockers and file encryptors
To illustrate the operation of ransomware scams we’ll take a closer look at the two most
common types—winlockers and file encryptors.
Closer look: Winlockers
The first thing a victim will see when they encounter a winlocker is a screen such as Fig.
4. However, even before this screen is displayed the ransomware has been at work in the
background.
Fig. 4: Winlocker screenshot
In order for the social engineering to be believable the message displayed must be relevant
to the victim. A person in France is unlikely to consider paying a fine to the FBI so the attack
must match the correct police authority to the user. This is done by taking the IP address of
the infected computer and using a database to convert the IP to a physical location. Once the
location is known the corresponding message and graphics are downloaded and displayed.
Winlockers may have a wide variety of messages available, customized for attacks around
the world.
Fig. 5: Localized language versions
The message is presented as a full-screen window, blocking access to any other programs
and leaving the PC unusable until the lock is removed. The ransomware will typically install
itself so that rebooting the PC will just result in returning the user to the ransom screen.
The message accompanying the lock attempts to be as persuasive as possible in
encouraging the user to pay. The payment is often presented as a fine or administrative
charge, imposed in response to illegal activity on the PC.
The alleged crimes range from illegal file sharing to exchange of child pornography. Some
winlockers also activate the PC’s webcam and display an image of the user, presumably to
reinforce the message that they are being observed.
Payment is by means of a prepaid card such as Ukash or MoneyPak. The ransom message
includes a list of locations where the card can be purchased. The associated payment
code can then be entered directly into the ransomware, at which point it is sent to the
attacker, who can collect the payment.
Fig. 6: Payment instructions
Closer look: File encryptors
File encryptors take a different approach to their ransom demands. Rather than using social
engineering they make no pretense to be anything other than a ransom demand.
Fig. 7: File encryptor
File encryptors do not block access to the entire PC. Instead they target files that are likely
to be valuable to the user, such as documents, images, financial records, etc. The PC is left
in a usable state but the user’s critical data is unavailable. The files are encrypted to prevent
the user from accessing them and a payment is demanded to decrypt them.
In common with winlockers the payments are often requested in the form of prepaid online
payment cards or codes. However, unlike winlockers, removing a file encryptor is not the
end of a user’s problem. Even if the ransomware is removed the files remain encrypted and
inaccessible.
The history of file encryptors has involved progressively complex encryption methods. The
earliest versions used simple, home-grown encryption that was easily reversed. Security
companies responded by providing cleanup tools that would recover the encrypted files.
Attackers then moved on to more robust commercial algorithms but again failed to
implement them securely, allowing cleanup tools to remain effective.
The latest file encryptors take advantage of multi-stage enterprise grade encryption and
public key algorithms using unique encryption keys for each victim. This makes them
essentially uncrackable without the private key known only to the ransomware’s author.
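Because the latest encryptors cannot be reversed without the author's private key, the practical response is to find out which files were hit and restore them from backup. The following triage script is an added example, not code from the whitepaper or from Sophos: it walks a user's data tree and lists documents whose content now reads like ciphertext. The extension list, the 7.5 bits/byte threshold and the sample files are assumptions constructed for the demonstration.

```python
import math
import os
import tempfile
from collections import Counter

# Formats that are normally low-entropy when intact (assumed list). Compressed
# formats such as .docx, .jpg or .zip are high-entropy even when healthy, so
# they need a different check, e.g. comparing hashes against a known-good backup.
LOW_ENTROPY_DOC_EXTENSIONS = {".txt", ".csv", ".doc", ".xls", ".rtf", ".htm"}
CIPHERTEXT_THRESHOLD = 7.5  # bits per byte; assumed cut-off, random data is ~8.0
MIN_SIZE = 256              # skip tiny files: entropy estimates on them are noisy


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input,
    8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> bool:
    """True when a normally low-entropy document now has ciphertext-like content."""
    _, ext = os.path.splitext(path)
    if ext.lower() not in LOW_ENTROPY_DOC_EXTENSIONS:
        return False
    with open(path, "rb") as fh:
        data = fh.read()
    return len(data) >= MIN_SIZE and shannon_entropy(data) >= CIPHERTEXT_THRESHOLD


def triage(root: str) -> list[str]:
    """Walk a data tree and return the suspect files (relative paths, sorted)
    so the scope of an infection can be measured before restoring from backup."""
    suspects = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if looks_encrypted(full):
                suspects.append(os.path.relpath(full, root))
    return sorted(suspects)


def demo() -> list[str]:
    """Constructed sample: one intact text report and one 'encrypted' spreadsheet."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.txt"), "w") as fh:
        fh.write("Quarterly report: revenue up 4%, costs flat. " * 20)
    with open(os.path.join(root, "budget.xls"), "wb") as fh:
        fh.write(os.urandom(4096))  # random bytes stand in for the encrypted body
    return triage(root)
```

A hit is a triage signal, not a verdict: confirm against a backup copy, and only restore once the ransomware itself has been removed so the restored files are not encrypted again.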
The effectiveness of ransomware at separating a user from their files leads to an inevitable
question. Should victims pay the ransom to retrieve their files? Unfortunately the evidence
available to answer this question is mostly anecdotal.
Many victims report paying a ransom only to be left with encrypted files. Some report that
paying the ransom did indeed result in the return of their files. Occasionally the ransomware
itself answers the question by not including a mechanism to reverse the encryption. In those
cases it is obvious that the author has no intention of returning the files whether the ransom
is paid or not.
Ultimately, a victim is at the mercy of the ransomware author, someone who has already
chosen an unscrupulous and illegal method of making a living. Should you trust such a
person? No. Our advice is never to pay the ransom.
Targeting users based on geo-specific location
Most of the ransomware lock screen images target the geo-specific location of the user’s
system. So far SophosLabs has seen around 20 countries that are targeted by ransomware
showing warning messages in languages specific to the country.
Some of the winlocker download URIs for ransom images are unencrypted and can be
downloaded directly through the web browser. In some of the variants, the URIs are in
encrypted form so that they evade any standard network-based detection rule that would
block these images.
The picture below shows the encoded URIs:
Fig. 8: Encoded URIs
Some variants, as shown below, store URIs in unencrypted form:
Fig. 9: Unencrypted URIs
Defending against ransomware
The best protection is preventing the ransomware from getting to your systems. Web-based distribution is
the most common means of spreading ransomware. Web gateway protection provided by the Sophos UTM or
endpoint web protection built into Sophos Anti-Virus defends against web-based attacks.
Sophos Anti-Virus on the endpoint also includes HIPS behavior monitoring technology to proactively detect
malware, including ransomware. Ensuring you have HIPS and full on-access protection enabled gives you the
best opportunity to detect and stop ransomware.
Some examples of Sophos detection for ransomware:
• HPMal/Matsnu-A
• CXmal/RnsmLnk-A
• Troj/RansmMem-A
• Troj/RevetMem-A
• Troj/Ransom-*
• Mal/Ransom-*
• Mal/Reveton-*
• Troj/Matsnu-*
There are also many more generic detections such as Mal/Encpk-*, which include both ransomware and
other malware that shares common properties.
In addition to security tools, some data backups can help victims to recover from file encrypting ransomware.
If data is backed up it can be safely restored once the ransomware is removed.
The complete security system
In this paper, we have discussed various types of ransomware, delivery mechanisms, and different encryption
techniques deployed to lock the computer screen using Windows APIs. SophosLabs analyzes such
ransomware types on a daily basis and monitors their development to ensure effective protection for users of
Sophos products.
Today’s fast, targeted and silent threats take advantage of our ever-more open networks and the new
technologies that support an increasingly mobile workforce. To combat this, organizations need depth to
their security strategy to cover endpoints, networks, servers, data, email and web usage, and mobile devices.
And it’s crucial that protection is consistent and easy to administer—so it can work at every point across the
entire network, just like security threats do.